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1.0 (U) SCOPE 



This document describes the sessionization requirements for the various IPSec VPN protocols processed 
in Turmoil. The list of IPSec protocol stacks of interest is shown here: 

• IP/ESP 

• IP/AH/ESP 

• IP/UDP/ISAKMP 

• IP/UDP/nulls/ISAKMP 

• IP/TCP/I SAKMP 

• I P/TCP/nulls/l SAKM P 



Currently, IP/ESP, IP/UDP, and IP/TCP are successfully sessionized by the FIP. Other IPSec stacks have 
been observed in the field, and we have requirements to process them in Turmoil. For completeness, all 
of the stacks are discussed in this document, even though some are currently being processed. 



2.0 (S) ESP SESSIONIZATION 



2.1 (S) IP/ESP 

2.1.1 (S) DETECTION 

The AEG loads the FSPF with the following keyword and mask pair for this protocol: 

keyword: 45 FF FF FF FF FF FF FF FF 32 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF F5 

mask: FF 00 00 00 00 00 00 00 00 FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F 

This indicates that the packets that satisfy the following parameters will be selected by this keyword for 

processing in the ESP_AEG: 

• IPv4 packet 

• IP Header Length = 5 

• IP Next Protocol = ESP (0x32) 

• ESP Sequence Number = 5 

The ESP Sequence Number requirement implements a “sampling” function on the ESP, reducing the 
ESP traffic by a factor of 1/16, to limit the ESP loading in the AEG. 
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2.1.2 (S) SESSIONIZING 

The ESP packets would be sessionized by the following set of parameters: 

• IP Next Protocol = 50 (0x32) 

• IP Source Address 

• IP Destination Address 

• ESP Spi 



2.1.3 (S) THE STACK 

The fields utilized in sessionization are highlighted in red in the diagram below: 
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2.2 (S) IP/AH/ESP 

2.2.1 (S) DETECTION 

The AEG loads the FSPF with the following keyword and mask pair for this protocol: 

keyword: 45 FF FF FF FF FF FF FF FF 33 FF FF FF FF FF FF FF FF FF FF 32 FF FF FF FF FF FF FF FF 
FF FF F5 

mask: FF 00 00 00 00 00 00 00 00 FF 00 00 00 00 00 00 00 00 00 00 FF 00 00 00 00 00 00 00 00 
00 00 0F 

This indicates that the packets that satisfy the following parameters will be selected by this keyword for 
processing in the ESP_AEG: 

• IPv4 packet 

• IP Header Length = 5 

• IP Next Protocol = AH (0x33) 

• AH Next Payload = ESP (0x32) 

• ESP Sequence Number = 5 



2.2.2 (S) SESSIONIZING 

The AH/ESP packets would be sessionized by the following set of parameters: 

• IP Next Protocol = 51 (0x33) 

• IP Source Address 

• IP Destination Address 

• AH Next Payload = 50 (0x32) 

• AH Spi 

• ESP Spi 



The software FSPF is currently programmed to recognize only TCP, UDP, and ESP as valid Network 
Layers. However, since our AH/ES^eywomls start at the Network (IP) Layer, those packets will make it 
through the FSPF to the AEG. ^^^^^^^|said that the change to the FSPF to recognize AH at the 
Transport Layer would be easy to implement. 



The DFCE does not currently recognize AH as a valid Transport Layer, and that change will apparently be 
difficult to implement. The new idea is to develop “application-specific demux” components for the TE, 
that will perform any desired sessionization based on parameters after the Network (IP) Layer. 
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2.2.3 (S) THE STACK 
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3.0 (S) IKE SESSIONIZATION 



3.1 (U) IP/UDP/ISAKMP 

3.1.1 (S) DETECTION 

The AEG loads the FSPF with the following keyword and mask pair for this protocol: 

keyword: 45 FF FF FF FF FF FF FF FF 11 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 

FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 10 00 00 FF FF FF FF 00 00 

mask: FF 00 00 00 00 00 00 00 00 FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 FF D8 F8 00 00 00 00 FF FF 

This indicates that the packets that satisfy the following parameters will be selected by this keyword for 
processing in the IKE_AEG: 

• IPv4 packet 

• IP Header Length = 5 

• IP Next Protocol = UDP (Oxll) 

• ISAKMP Version = 0x10 

• ISAKMP Next Payload, Exchange Type, and Flags fields all have ranges of valid values 

• ISAKMP Length (header + payload) < 64k 

We have a similar keyword/mask pair for ISAKMP Version 9.9. 

3.1.2 (S) SESSIONIZING 

The UDP/ISAKMP packets would be sessionized by the following set of parameters: 

• IP Next Protocol = UDP (0x11) 

• IP Source Address 

• IP Destination Address 

• UDP Source Port 

• UDP Destination Port 
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3.1.3 (S) THE STACK 
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3.2 (U) IP/UDP/NULLS/ISAKMP 

3.2.1 (S) DETECTION 

The AEG loads the FSPF with the following keyword and mask pair for this protocol: 
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This indicates that the packets that satisfy the following parameters will be selected by this keyword for 
processing in the IKE_AEG: 
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• IPv4 packet 

• IP Header Length = 5 

• IP Next Protocol = UDP (Oxll) 

• 4 bytes of NULLS between the UDP and ISAKMP layers 

• ISAKMP Version = 0x10 

• ISAKMP Next Payload, Exchange Type, and Flags fields all have ranges of valid values 

• ISAKMP Length (header + payload) < 64k 

We have a similar keyword/mask pair for ISAKMP Version 9.9. 

3.2.2 (S) SESSIONIZING 

The UDP/nulls/ISAKMP packets would be sessionized by the following set of parameters: 

• IP Next Protocol = UDP (0x11) 

• IP Source Address 

• IP Destination Address 

• UDP Source Port 

• UDP Destination Port 
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3.2.3 (U) THE STACK 
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3.3 (U) IP/TCP/ISAKMP 



3.3.1 (S) DETECTION 

The AEG loads the FSPF with the following keyword and mask pair for this protocol: 
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This indicates that the packets that satisfy the following parameters will be selected by this keyword for 
processing in the IKE_AEG: 

• IPv4 packet 

• IP Header Length = 5 

• IP Next Protocol = TCP (0x06) 

• ISAKMP Version = 0x10 

• ISAKMP Next Payload, Exchange Type, and Flags fields all have ranges of valid values 

• ISAKMP Length (header + payload) < 64k 

We have a similar keyword/mask pair for ISAKMP Version 9.9. 

3.3.2 (S) SESSIONIZING 

The TCP/ISAKMP packets would be sessionized by the following set of parameters: 

• IP Next Protocol = TCP (0x06) 

• IP Source Address 

• IP Destination Address 

• TCP Source Port 

• TCP Destination Port 
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3.3.3 (S) THE STACK 
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3.4 (U) IP/TCP/NULLS/ISAKMP 

3.4.1 (S) DETECTION 

The AEG loads the FSPF with the following keyword and mask pair for this protocol: 
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keyword: 45 FF FF FF FF FF FF FF FF 06 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 
10 00 00 FF FF FF FF 00 00 

mask: FF 00 00 00 00 00 00 00 00 FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 
FF D8 F8 00 00 00 00 FF FF 



This indicates that the packets that satisfy the following parameters will be selected by this keyword for 
processing in the IKE_AEG: 

• IPv4 packet 

• IP Header Length = 5 

• IP Next Protocol = TCP (0x06) 

• 4 bytes of NULLS between the TCP and ISAKMP layers 

• ISAKMP Version = 0x10 

• ISAKMP Next Payload, Exchange Type, and Flags fields all have ranges of valid values 

• ISAKMP Length (header + payload) < 64k 

We have a similar keyword/mask pair for ISAKMP Version 9.9. 

3.4.2 (S) SESSIONIZING 

The TCP/nulls/ISAKMP packets would be sessionized by the following set of parameters: 

• IP Next Protocol = TCP (0x06) 

• IP Source Address 

• IP Destination Address 

• TCP Source Port 

• TCP Destination Port 
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3.4.3 (S) THE STACK 
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4.0 (U) SUMMARY 

The FIP currently recognizes UDP, TCP, and ESP as valid Network Layer protocols, and currently 
sessionizes those packet types. The new requirement for IP/AH/ESP will require changes to the FIP to 
recognize AH as a valid layer, and will also require changes to the DFCE to allow those packets through. 



There has been talk of having application-specific demuxes developed and inserted into the TE to 
perform any required sessionization beyond the Transport Layer. For example, the ESP demux would be 
responsible for sessionizing on Spi value. 



The Table below summarizes the various protocol stacks, the parts of the stacks that are used in PPF 
keyword detection, and how the associated packets should be sessionized. 



Protocol Stack 


Keyword Detection Layers 


Sessionization Requirements 


IP/ESP 


IP, ESP 


IP Next Protocol = 50 
IP Source Address 
IP Destination Address 
ESP Spi 


IP/AH/ESP 


IP, AH, ESP 


IP Next Protocol = 51 
IP Source Address 
IP Destination Address 
AH Next Header = 50 
AH Spi 
ESP Spi 


IP/UDP/ISAKMP 


IP, UDP, ISAKMP 


IP Next Protocol = 17 
IP Source Address 


* we have separate keywords for 
ISAKMP Versions 1.0 and 9.9 




IP Destination Address 
UDP Source Port 
UDP Destination Port 


IP/UDP/nulls/ISAKMP 


IP, UDP, ISAKMP 


IP Next Protocol = 17 
IP Source Address 


* we have separate keywords for 
ISAKMP Versions 1.0 and 9.9 




IP Destination Address 
UDP Source Port 
UDP Destination Port 
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IP/TCP/ISAKMP 


IP, TCP, ISAKMP 


IP Next Protocol = 6 
IP Source Address 


* we have separate keywords for 
ISAKMP Versions 1.0 and 9.9 




IP Destination Address 
TCP Source Port 
TCP Destination Port 


IP/TCP/nulls/ISAKMP 


IP, TCP, ISAKMP 


IP Next Protocol = 6 
IP Source Address 


* we have separate keywords for 
ISAKMP Versions 1.0 and 9.9 




IP Destination Address 
TCP Source Port 
TCP Destination Port 
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